Posted by timothy on Tuesday March 25, 2014 @10:40AM from the $$$-rofl-omg-$$$ dept.

judgecorp (778838) writes "A newly discovered malware attack uses a smartphone connected to the computer that manages an ATM, and then sends an SMS message to instruct it to dispense cash. The attack was reported by Symantec, and builds on a previous piece of malware called Backdoor.Ploutus. It is being used in actual attacks, and Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines."

"The company recommended that ATM operators provide better physical security for the computers controlling the machines, lock down BIOS or system hard drives, deploy lock-down software or upgrade to a supported operating system."

Banks are protected by law enforcement, insurance, etc. They have well established loss rates due to theft, fraud, etc. and they take appropriate measures to address those loss rates.

I, personally, would not want to pay a surcharge on my ATM card or other bank accounts to supplement the current security with "overkill" measures that cost more than they benefit, just for the satisfaction of knowing that crooks can't steal from MY bank.

Overkill such as following standard security protocols and networking and IT basics? Or using 2 decade old smart-card technology that EUROPE has used for 20 years? The solution is to go back to strict bank regulation. They obviously can't be trusted to operate on their own.

It is if some other weakness they've allowed due to the cost/bene analysis leads to someone taking money from my account. Sure, I can get it back, likely without much trouble. But what if a bill came due during the loss and recovery that wasn't paid out and then I get stuck with a late fee and the headache of dealing with that account?

No, more like management oversight, design review, and other bureaucratic steps to ensure that the proper locking doorknob is selected and properly installed. Even if the committee selected a $4.95 knob as proper (which, after examining the situation they probably wouldn't), the overhead costs of all that would amount to thousands of dollars per doorknob effectively installed.

Better than I would like for paying for theoretical "perfect" security on the banking system.

Besides, everybody knows the cops can catch bank robbers, and those same cops actually protect my home - if they weren't out there getting a rep. with hold up artists, people might be more inclined to B&E on private residences.

Banks don't make ATMs. Blaming banks for poor ATM security is, for the most part, like blaming someone who was in an accident because their defective ignition switch shut off the car. Banks need to make sure their ATMs are physically protected and maintained. They do this, for the most part.

Firms like Triton and Diebold build ATMs. That's where change will really have an impact.

No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.

Really? You think when a thief steals $1000 from an ATM that the bank gets paid back by the government? What country do you live in? The government insurance only kicks in when a bank actually fails - then the depositors get the money - not the bank.

Either way, the bank either charges you higher service fees and lower interest, or it gets private insurance, or it goes crying, Oliver Twist-style, to the government with its hands out. The bank loses nothing. Ever. But they sure tell YOU to take risks!

Either way, the bank either charges you higher service fees and lower interest, or it gets private insurance, or it goes crying, Oliver Twist-style, to the government with its hands out. The bank loses nothing. Ever. But they sure tell YOU to take risks!

Like I said, government does not pay for theft. Okay, so it raises service fees or gets private insurance. Are you complaining that their business model is to profit?

They sure aren't very fast or dependable at replacing any money that is stolen through a debit card (such as a debit card being used in a fraudulent ATM to skim the PIN). Similarly we all pay increased costs through fees being spread out through the whole customer base for credit card fraud.

No, they socialize that to the government insurance, which you pay for with your taxes. Banks take zero risk here.

Really? You think when a thief steals $1000 from an ATM that the bank gets paid back by the government? What country do you live in? The government insurance only kicks in when a bank actually fails - then the depositors get the money - not the bank.

I seem to remember trillions of dollars in bailout insurance being paid to banks, not the customers through FDIC, while they remained open and more profitable than ever. This is socialized government insurance, where moral hazard is removed and it's business as usual.

You mean loaned out to banks. Banks either paid that back or they failed. Most of it was paid back.

You are repeating the banks' talking points. Some of it loaned out. Some of it was given out. Some of it was exchanged for worthless assets.
In the end the bottom line is most people were screwed and the banks profited.

Were you offered extremely low interest loans which you immediately were allowed to profit massively off of by selling higher interest loans and dissolving your bad investments?

Why didn't the Fed do the right thing and allow the irresponsible banks to fail and instead invest those trilli

Funny thing is all the people who scream "socialist" about Obama and the Democrats and even obvious things like nationalizing the failing banks they don't do, rather instead supporting them. Newest American Ambassador to my country is a former Wells Fargo big shot, which shows their true stripes.

I worked for a bank back in the day, was told to make code changes to the online screens to add an extra 'service fee' to the client's account, had to add a checkbox so that it could be switched off if the client complained. Checked it a couple months later, not many people even noticed it or complained, netted them an extra half a mil a month.
Don't trust banks / bankers / insurance / sales people. They do not have your own best interests at heart.

Actually, they do surf the web (or did. I sure hope they fixed it). That is one of the problems with ATMs. The connection with the bank may be secured, but the devices are still attached to the big bad internet. So if you replace a device driver (or add your own piece of hardware), all communication channels are just waiting for you to be abused.

The 7-11 I used to frequent had an Ethernet jack near the soda dispensers... this jack was where the nearby ATM was plugged in. It would have been quite easy for me to insert any sort of device between the ATM and the jack. There was enough space between the jack and the ATM and there was also a valid reason for me to be in the area that it wouldn't look like I was doing anything with it. While it wasn't an official bank ATM (unaffiliated), I still could have been malicious had I wanted to. [I also nev

ATMs make heavy use of encryption.
Sensitive data (eg customer PIN) is encrypted so that you can not decode it.
Unencrypted data is not sensitive (eg the dollar amount of the transaction).
Each packet sent to the bank host is digitally signed.
Each packet received from the host is also checked for its digital signature.
The digital signatures have the time as part of the generation algorithm, so replay attacks don't work.
If you monitored traffic on that cable then you would get a log of who took out mone
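The timestamp-in-the-signature scheme described in the comment above, as an added sketch that is not part of the original thread and not any ATM vendor's protocol: HMAC-SHA256 stands in for the "digital signature", and the key, field layout, 30-second window and sequence counter are all assumptions. It also shows that a timestamp alone still admits a replay inside the freshness window unless the host remembers what it has already accepted.

```python
import hashlib
import hmac
import struct

# Constructed demo key; an assumption, not a real terminal key.
KEY = b"constructed-demo-key-not-a-real-one"
MAX_SKEW = 30  # seconds a message stays acceptable (assumed policy)


def sign(key, terminal_id, seq, timestamp, payload):
    """Build header || payload || tag; the tag covers time and sequence number."""
    tid = terminal_id.encode()
    header = struct.pack(">B", len(tid)) + tid + struct.pack(">QQ", seq, timestamp)
    body = header + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Host:
    """Bank-side verifier: checks the tag, then freshness, then sequence."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}  # terminal_id -> highest sequence number accepted

    def verify(self, message, now):
        if len(message) < 1 + 16 + 32:
            return "malformed"
        body, tag = message[:-32], message[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return "bad-tag"
        n = body[0]
        if len(body) < 1 + n + 16:
            return "malformed"
        tid = body[1:1 + n].decode()
        seq, ts = struct.unpack(">QQ", body[1 + n:1 + n + 16])
        if abs(now - ts) > MAX_SKEW:
            return "stale"   # old capture: the signed time no longer matches
        if seq <= self.last_seq.get(tid, -1):
            return "replay"  # fresh enough, but this message was already seen
        self.last_seq[tid] = seq
        return "ok"


def demo():
    host = Host(KEY)
    t0 = 1_395_744_000  # constructed timestamp
    msg = sign(KEY, "ATM-0042", 1, t0, b"WITHDRAW 40.00")
    tampered = msg.replace(b"40.00", b"90.00")  # cleartext amount altered
    return [
        host.verify(msg, t0 + 2),       # first delivery
        host.verify(msg, t0 + 5),       # resent inside the 30 s window
        host.verify(msg, t0 + 3600),    # resent an hour later
        host.verify(tampered, t0 + 2),  # unencrypted field modified in transit
    ]


if __name__ == "__main__":
    print(demo())
```
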

So there's your attack vector. Note that you may heavily encrypt the output of all the input devices, but with your own device drivers or added hardware there is little you can do about replaying the input signals themselves. Or from "swallowing" the cards and transmitting all the PIN codes.

Do you know how many times I've seen an ATM with the Windows Blue Screen of Death on it?

Not hundreds, but over 30. I have *long* suspected these things are exceedingly vulnerable computers being used when they shouldn't be.

I've been in airports and seen the arrivals/departures board showing NT errors. I have seen stuff in shop windows and other stuff showing similar stuff. A lot of medical devices can't be upgraded because the company never certified it beyond a certain level of Windows.

Banks usually make an effort to have physical security, but not so much all the random supermarkets and shops that have an ATM inside.

What is more interesting is that the cash draw is physically secure. The attackers don't bother trying to open it. Instead they attack the control hardware, and you would think they could make that equally secure. It seems that the desire to load firmware updates, or more specifically new advertising on to machines via a simple and largely unprotected USB connection was too m

Yeah, that gives a whole new meaning to the phrase "remote exploit". First you have to have unsupervised physical access to the machine and hook up additional hardware, then you do the remote exploit. If that's the definition of remote exploit, I don't think there's a system on the planet that isn't vulnerable.

Wrong century... ATMs of today are running on off the shelf hardware, with "special" (as in special needs) operating systems (Windows). They have exposed USB ports under the hood and to make it completely idiotic, the only thing locked behind high security is the money. The motherboard is quite often found just under the keypad, which can be accessed by standard keys.

I'm pretty sure that the rationale for slack physical security (other than the cash box) is that the store clerk or the camera pointed at it will discourage people from drilling holes in the CPU.

As per a previous /. article, maybe ATM makers moving to a new OS and PC might help matters. Linux is a good candidate. No AutoRun/AutoPlay capability present for starters (although Windows can have it easily turned off as well.)

Ideally, what might be best is to move to a motherboard that is designed from the grou

Seems to me that it needn't be a smartphone, any device with the proper digital interface can probably do the trick - but it makes better press to say "Force the ATM to dispense cash using SMS..."

I suppose it might make it easier for the crooks to blend in while they take away the loot - just send the SMS while you act like you are doing a legitimate transaction and then walk away with $400. Come back later and do it again, and again... Get a lot of "theft rush" and exposure to potential arrest for your e

"So, this method requires quite a bit of physical access to the ATM."

I did once peek over the shoulders of a guy servicing one of those in-store ATMs (i.e., one that looks like a stand-alone cabinet, not one that's integrated into a wall). Apparently, it's not all that tightly locked down, hardware-wise. The guy told me that only the compartment that contains the banknotes and the counting mechanism has heavy physical security, and that he couldn't access that part. That was why he was allowed to service

In the vast majority of atms there is just an ordinary pc running windows xp, they are not secure at all from a tech standpoint. This is about being able to steal in the future. If you come in dressed as the repair guy and hide a phone connected to the pc, you didn't take any money, the money fillers won't notice anything nor any audits if any are done. Then you wait a year or whatever and start stealing from it, if they do manage to figure out it's infected/find the phone, who put it there? Do they sti

I'd think that if you had physical access to the USB port, you would also have physical access to the cash itself and could just take it.

I think that that would be a poor design. One box for the hardware (you don't need armoured car knuckle draggers messing with the electronics), and one box containing the cash (You don't need the maintenance nerds walking away with pocketfuls of crisp new bills). Both of those would be inside a box that locks out the general public. Actually, I'd probably put the cash inside a box inside the cash portion of the machine, so the armoured car folks are not dealing with cash, but with locked boxes that they

"Symantec has demonstrated it with an ATM in its labs, though it is not revealing the brand of the vulnerable machines" . . . because Diebold already has a bad enough reputation with its e-voting machines.

That was my first guess. My bank uses them, and they are absolutely amazing in terms of completely uninformed user interface design. They've upgraded them over the years and are a little better, but they are just terrible to use physically and electronically. Not really related to hacking, other than by the fact they just don't care about making a quality product.

This is a physical access attack and therefore not very interesting. To do this you have to cut the ATM open at the point where the computer is installed and attach a smartphone to the USB port (or in older versions, a USB stick, or keyboard). They recommend upgrading the OS and securing the hard drive. How about putting epoxy in the computer's device ports?

I'd assume the box that the money is in is secured and had paint or the like that will trigger when it is opened.

Plus you can only do it once and it is very noticeable. Chopping a small hole in the box and secretly installing a small phone you could exploit time and time again without drawing attention from passers by.

As I said above, you can get the access and look like a maintenance tech, then button it up and walk away with big bulges in your pockets.

Come back later, looking innocent, and take a few hundred bucks per transaction. It makes machines that are protected by highly public physical location (most ATMs) more vulnerable to attack in plain sight by innocent looking people.

Sure, you could cut out the cash box and haul ass in a big pickup truck, but somebody would probably notice that something isn't right about

Because this way, assuming they didn't notice the actual hardware in there, you could dispense cash for a long period of time, and get more money. Taking all the cash at once and they would probably notice it. Take $20 once a day, and they might just attribute it to the machine miscounting the bills.

The machine might report cash being taken out; very unfortunate if that happens while you stand there shoving piles of bills into your pockets. Better to install the device and come back at night, with a hoodie over your face, grab all the cash, and run.

These machines rarely miscount, and if it happens once a day, the bank will probably take notice. There was a weird little trick on certain ATMs a while back that let you tease an extra note from the machine, but the banks caught on very quickly.

In the early days of ATMs (1980s) I used to get "overcounts" about 5% of the time at certain machines... that doesn't happen (to me) as much anymore, but I'm mostly plastic based now, so maybe it still does.

You could probably spit out several hundred dollars per "pull" with the phone-hack and not raise suspicion - a really good hack would falsify the expected balance, too, so they don't notice the missing cash, but you'd think the guy changing the cash box would notice the thing stuck in the USB port, event

I remember way back in the old days (80s), an ATM that I went to dispensed my cash twice. I took it inside and let them know that I had gotten $80 when the machine told me that I got $40. They had released new ATM software the night before. It was 9 AM and I was the first person to bring it to their attention.

I should also mention that I got one or two "undercounts" during that era... my ATMs were all remotely located from the branches, so reporting wasn't exactly convenient. I figured it all worked out in the end, but I might have come out $20 to $30 ahead, overall.

The swipe your ATM card to checkout at the grocery also failed to process a couple of the earliest transactions (there really was a free lunch, those days...), I waited months and months looking for them to show up on the statements, but they never

In the early days of ATMs (1980s) I used to get "overcounts" about 5% of the time at certain machines... that doesn't happen (to me) as much anymore, but I'm mostly plastic based now, so maybe it still does.

I'm quite surprised how well the ATMs handle the plastic money, especially during this transition phase when it is a mix of paper and plastic. As a human, I have trouble correctly counting the plastic money, it's thinner and sticks to neighbouring bills.

To do this you have to cut the ATM open at the point where the computer is installed and attach a smartphone to the USB port

Which, apparently, might not be as difficult as we think.

Security is only as good as its weakest link, as they say. And if one of these things is in a place where you could get in and out without being observed (because, say, you've got a clone of the key or know how to bypass the lock)... well, then this is going to happen.

Well, not so much. Physical attacks are extremely difficult on ATMs as they are difficult to move or access and usually have dye bombs. The usual approach in the UK is to steal a JCB and van and remove the whole thing. So something like this is definitely an improvement for the attacker.

The ATM has a computer with the operating system and basic bootstrap software. In fact, the configuration itself is not located in the ATM; when the ATM is turned on, it is sent to it from the bank. One important reason is that when somebody steals the ATM, they will lose all the configuration, including many different types of keys, making the task of opening it or learning more about the ATM's network behaviour difficult.

How does anyone access the USB port of the computer that controls the ATM, without breaching enough physical security that they might as well just grab the money? Sounds like this could only work if an insider at the bank in question smuggles in a phone and hooks it to the computer. You can't just pull up to an ATM and do this.

It comes down to exposure time for the thief. Popping an access plate off the USB ports, plugging in and feeding $20s out, one at a time is going to take a while. The stolen tow truck, chain and winch is much faster.

And they make election equipment, to count votes. Sheeesh!
ATMs I am less worried about because I get my money back when they screw up...
If the theft amount gets too painful, the banks will look for a better vendor. And switch to Linux...

"Anyway, anyway, guys guys guys, come on. I'm in this computer, right. So I'm looking around, looking around, you know, throwing commands at it, I don't know where it is or what it does or anything. It's like, it's like choice, it's just beautiful, okay. Like four hours I'm just messing around in there. Finally I figure out, that it's a bank. Right, okay wait, okay, so it's a bank. So, this morning, I look in the paper, some cash machine in like Bumsville Idaho, spits out seven hundred dollars into the midd

If you've ever been the victim of crime you will know the cops do nothing for you. They fill out a report so you can make an insurance claim. That is all. They will give you attitude while doing it. You are bothering them.

Regardless of whether this exploit requires an insider for access to the physical machine, securing $10k-$20k worth of cash with one of the most commonplace operating systems on the planet seems beyond asinine to me.

FWIW, the magic number '5449610000583686' mentioned in the article passes the Luhn Algorithm [wikipedia.org], and is therefore valid as a credit card number. The BIN indicates the card was/would be issued by the following bank, transcribed from this site [bindb.com]:

The SMS is just a way to communicate to the phone. What the hackers have done (if I'm reading the FA correctly) is make a phone pretend to be a USB keyboard attached to the PC in the ATM. The phone can then be set up to send a control sequence to the ATM telling the ATM to spit out money. So the problem has nothing to do with either SMS or Windows XP. If the ATM was VAX or Mac OS or Home brew OS or Linux and you did not lock down the local USB ports then it would have the same issue.
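A defensive check for the point made above about unlocked local USB ports, as an added example that is not from the thread or from Symantec's report: it scans kernel log lines for newly enumerated USB devices and flags any whose vendor/product ID is not on an allowlist, or that appears long after boot. The log lines are constructed in the Linux kernel's "New USB device found" format, and the IDs, product names and the 60-second boot window are hypothetical.

```python
import re

# Hypothetical allowlist of (idVendor, idProduct) pairs for the peripherals
# expected inside the cabinet; these IDs are constructed, not real vendors.
ALLOWLIST = {("f00d", "0001"), ("f00d", "0002")}
BOOT_WINDOW = 60.0  # seconds after boot in which enumeration is expected (assumed)

LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\] usb (?P<port>[\d.-]+): (?P<msg>.*)$")
NEW_RE = re.compile(
    r"New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
PRODUCT_RE = re.compile(r"Product: (.+)")

# Constructed sample log (not captured from a real machine).
SAMPLE_LOG = """
[    2.104512] usb 1-1: New USB device found, idVendor=f00d, idProduct=0001, bcdDevice= 1.00
[    2.104519] usb 1-1: Product: Card Reader
[    2.310077] usb 1-2: New USB device found, idVendor=f00d, idProduct=0002, bcdDevice= 1.00
[    2.310081] usb 1-2: Product: PIN Pad
[86422.118230] usb 1-3: New USB device found, idVendor=beef, idProduct=1234, bcdDevice= 2.10
[86422.118236] usb 1-3: Product: Handset
[90011.500100] usb 1-2: New USB device found, idVendor=f00d, idProduct=0002, bcdDevice= 1.00
"""


def find_unexpected_devices(lines, allowlist=ALLOWLIST, boot_window=BOOT_WINDOW):
    """Return one finding per suspicious enumeration event, in log order."""
    findings = []
    pending = {}  # port -> finding still waiting for its "Product:" line
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, port, msg = float(m["ts"]), m["port"], m["msg"]
        new = NEW_RE.match(msg)
        if new:
            vid, pid = new.groups()
            pending.pop(port, None)  # a new device replaces any earlier one
            if (vid, pid) not in allowlist:
                reason = "unknown-id"
            elif ts > boot_window:
                # A known ID enumerating mid-uptime means something was
                # unplugged and re-plugged; the ID alone proves little.
                reason = "hotplug-after-boot"
            else:
                continue
            finding = {"ts": ts, "port": port, "vid": vid, "pid": pid,
                       "product": None, "reason": reason}
            findings.append(finding)
            pending[port] = finding
            continue
        prod = PRODUCT_RE.match(msg)
        if prod and port in pending:
            pending.pop(port)["product"] = prod.group(1)
    return findings


if __name__ == "__main__":
    for f in find_unexpected_devices(SAMPLE_LOG.strip().splitlines()):
        print(f)
```
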

Actually Obama beat Romney by 3.7 % of popular vote, not 1%. And about 100 more electoral college votes for Obama.
And Reagan's landslide over Mondale was indeed a landslide. Reagan--57% to Mondale's 42%. The only state Mondale took was Minnesota. And in the electoral college Reagan had 97% of the votes.

Seriously? The % variance from election to election is about 2-5%. Has been for years. Our country pretty much votes 50/50 for the two parties. The only exception was the 92 election in which Perot got a significant amount. It has been this way since the 60s. Even the 'landslide' of Reagan vs Mondale was by ~2%.

Accept it. Both dudes lost by a narrow margin. You are clinging to conspiracies because your dude lost. Even the 'crushing victory' in the last two was by ~1%. Voter fraud does exist. However, statistically it is negligible. Even Nate Silver accepts that...

Successful voter fraud is undetectable, and thus immeasurable. You cannot quantify it without verifying individual votes, and you can't do that without tracking each individual vote and removing voters' anonymity.

I am not claiming that it is rampant. I am merely stating the fact that you cannot know how much of a problem it is. Saying it's very rare is as much bullshit as saying it's very frequent.

You can set up systems where it is hard to do fraud and systems where fraud is trivial. That is the problem with most electronic voting so far. How do you ever know if Diebold has a way to flip 1% of the votes? In a close election it doesn't take much to flip the results. Then there are the other types of election fraud, often legal. Gerrymandering, strategic placement of polling station, limiting the number of polling booths in areas are some examples.

Yes, people still use cash. People still use phones to make voice calls. People still commute to work. People still play CDs and DVDs. People still have standard def televisions. People still use cars powered exclusively by internal combustion engines. People still buy things in actual physical stores. People still wear baseball caps with the bills pointed forward. People still take an entire television season to watch a season's worth of television shows. And some people still actually converse wi